Intel disclosed another set of processor flaws today that could let attackers steal information stored on computers or third-party clouds. Discovered by a number of researchers and reported to Intel in January, the vulnerability includes three varieties. The company said in a blog post that when combined with updates released earlier this year, new updates being released today should protect most users from the vulnerability. “We are not aware of reports that any of these methods have been used in real-world exploits, but this further underscores the need for everyone to adhere to security best practices,” said Intel.
The company has dubbed this set of flaws L1TF, or L1 Terminal Fault. It said today that two of the varieties can be mitigated with the updates available now, but the third, which only affects a subset of users — such as certain data centers — might require additional steps to be taken. You can learn more about the varieties in the video below.
The researchers who spotted the vulnerability have described an attack that takes advantage of it. They’re calling it Foreshadow. L1TF affects Intel’s Software Guard Extensions (SGX) feature, and the researchers said that after the Meltdown and Spectre discoveries, looking at SGX was the next step. “When you look at what Spectre and Meltdown did not break, SGX was one of the few things left,” system security researcher Daniel Genkin, who contributed to the Foreshadow discovery, told Wired. “SGX was mostly spared by Spectre, so it was the logical next step.”
Following the Spectre and Meltdown debacle, Intel expanded its bug bounty program, opening it up to more security researchers and offering larger rewards.